Release notes
Version 2.1.0 open source edition
This version does not include the examples. It is meant to run on PHP5 only.
If you retrieved this page from an HTTP server that supports PHP, click
here to try it out.
This version does not include pntUnit and the unit tests.
What's new
Since 2.1.rc1
Security improvements:
- new PntSecurityException thrown when the request contains attack-like values
- PntHttpRequest offering access to all validated request variables
- Support for the X-Frame-Options header, default 'DENY'
Since 2.0.0a
- Security improvements:
  - the complete code of the abstract user interfaces has been reviewed and improved to protect against Cross Site Scripting,
  - validation of all request variables, including cookies and server variables,
  - some improvement of the CSRF protection,
  - explicit specification of character sets,
  - limitation of AJAX requests to the host the page originates from,
  - can be extended by the application developer for the use of the UTF-8 character set,
  - ids are now included in string conversion (safer for numeric ids and gives application developers control over string ids),
  - string conversion no longer propagates erroneous values.
- Other improvements:
  - Domain Specific Language style API for Navigational Queries
  - AJAX identifiers now allow paths to parts and subparts, used by EditDetailsPage to support AJAX refresh down to individual widgets
  - More API docs in the source
  - Accommodation of the Historical Data Management extension (the extension is not included in the open source version)
  - many small changes, see changes.txt.
Since 2.0.0
- SaveAction could not find the edited object if id > 999.
- fixed PntGen::includeClass bug: missing slash after the classes folder name
- PntGen::includeClass and PntGen::tryIncludeClass have been removed because they are not safe with register_globals ON
Remarks for upgrading existing applications
See the release notes of the upgrade release you can download from the phpPeanuts website.
Known bugs and limitations
- Applications are only protected against cross frame scripting in browsers that support the X-Frame-Options header.
  to all requests from login by per-request tokens using encryption-strength random numbers. (This is only relevant for
  applications using authentication/authorization; the extension for this is not included in the open source version.)
- Quoted parameter values are included in the SQL statement text (only parameterized queries should be used).
- With older versions of PHP and/or MySQL the character set cannot be set on the connection in such a way that the
  quoting functions of MySQL take the character set into account. This may be a problem with UTF-8 and it may
  have security implications, possibly including SQL injection vulnerabilities. The character set must be set through
  the client library (mysql_set_charset(), mysqli_set_charset() or the PDO DSN) rather than with a SET NAMES statement,
  otherwise the quoting functions keep using the default character set. Avoiding this requires:
  - MySQL >= 5.0.7, or, if you're using MySQL 4, >= 4.1.13;
  - PntMySqlDao: PHP 5.0.7 or later;
  - PntPdoDao: PHP 5.3.6 or later;
  - PntMySqliDao (not included in the open source version): PHP 5.0.5 or later.
- Though the framework has DAO classes that are successfully used as the database abstraction layer with MySQL
  and SQLite, use with other databases may require some additional refactoring. Please inform us about any
  problems and solutions with the use of other databases. (Known: Oracle versions below 9 do not support the standard
  explicit JOIN syntax, but producing JOIN instructions is not delegated to DAO objects and cannot easily be refactored
  to do so.)
- The AGPL license requires you to make the source of applications using this version
  of phpPeanuts available to any users outside your own organization, and to allow them to forward
  it to the rest of the world. An extended commercial edition is available on request under
  developer licenses that do not include obligations to publish derived works etc.
  For more info see the Support menu of the phpPeanuts website.
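The two SQL limitations listed above (quoted parameters in statement text, and a connection character set the quoting functions do not know about) are illustrated by the following added example. It is not phpPeanuts code and does not use the framework's DAO classes; it uses PDO with an in-memory SQLite database so it runs offline, and the MySQL DSN in connectMysql() is an assumed illustration (utf8mb4 needs MySQL 5.5.3 or later, the charset DSN attribute needs PHP 5.3.6 or later). The GBK bytes and user rows are constructed inputs.

```php
<?php
// Added example, not phpPeanuts code: quoting a parameter into SQL text versus
// binding it, and why the connection character set matters for quoting.

// --- 1. Why quoting is fragile when the escaper does not know the charset ---
// Constructed payload: the byte 0xBF followed by a single quote. addslashes()
// inserts a backslash (0x5C) before the quote. If the connection charset is a
// multibyte one such as GBK, the server reads 0xBF 0x5C as ONE character and
// the quote that follows is live SQL again. mysql_real_escape_string() only
// avoids this when the charset was set via mysql_set_charset(); a "SET NAMES"
// statement does not inform the client library, so it escapes incorrectly.
$payload = "\xbf' OR '1'='1";
$escaped = addslashes($payload);
printf("addslashes() output: %s\n", bin2hex($escaped)); // bf5c27... quote not neutralised under GBK

// --- 2. Quoted parameter vs. bound parameter, demonstrated against SQLite ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable: the value becomes part of the statement text.
function findByNameQuoted(PDO $pdo, $name) {
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value is sent as a bound parameter, never parsed as SQL.
function findByNameBound(PDO $pdo, $name) {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$attack = "x' OR '1'='1";
print_r(findByNameQuoted($pdo, $attack)); // every user: the WHERE clause was rewritten
print_r(findByNameBound($pdo, $attack));  // empty array: no user is literally named that

// --- 3. MySQL: set the charset on the connection, not with SET NAMES ---
// Assumed DSN for illustration. With PHP >= 5.3.6 PDO honours the charset in
// the DSN; disabling emulated prepares makes MySQL bind parameters server-side
// so client-side quoting is not involved at all.
function connectMysql($host, $db, $user, $pass) {
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $host, $db);
    return new PDO($dsn, $user, $pass, array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ));
}
```

Run it with the pdo_sqlite extension enabled; the first print_r() shows both rows, the second none. The same findByNameBound() shape works unchanged against a connection from connectMysql(), which is the form the "should only use parameterized queries" remark above asks for.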